Implementation of Deferred FIPS Self-Tests #29222
Closed
simo5 wants to merge 20 commits into openssl:master from
slontis (Member) reviewed Nov 27, 2025:
please use the 'ossl_' prefix for global functions
simo5 (Contributor, Author):
clang formatting can't come quickly enough
simo5 (Contributor, Author):
do you mean FIPS_deferred_self_test ?
simo5 (Contributor, Author):
just to be clear, that is not really a new function, but I will rename it.
slontis reviewed Feb 10, 2026
slontis reviewed Feb 11, 2026:
    B<-x942kdf_key_check>,
    B<-ecdh_cofactor_check>

The following options was added in OpenSSL 4.0:
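Review bot: the documentation line "The following options was added in OpenSSL 4.0:" has a subject-verb agreement error; it should read "The following options were added in OpenSSL 4.0:".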
slontis approved these changes, Feb 11, 2026
Collaborator:
This pull request is ready to merge
openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Fix sloppy style that will break clang style detector later once we rename the .inc file back to be a regular .c file.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
The Known Answer Test (KAT) data, previously in `self_test_data.inc`, is moved into its own compilation unit, `self_test_data.c`. This separates the large data definitions from the test execution logic. This refactoring improves code organization and modularity. A new header, `self_test_data.h`, is added to declare the data arrays for external linkage. The shared data structure definitions are moved to `self_test.h` to be accessible by both the test logic and the data files.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
This causes linters to blow up
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
This commit refines the design for FIPS deferred self-tests by simplifying how test equivalencies are handled. The explicit `also_satisfies` list has been removed from the design. Instead of manually listing which tests are satisfied by another, the new approach relies on implicit discovery. When a high-level self-test runs, it records all the underlying cryptographic algorithms that are invoked during its execution. Upon successful completion of the high-level test, the tests for all recorded algorithms are automatically marked as passed. This approach is more direct, less error-prone, and removes the complex logic associated with the previous explicit dependency lists.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Refactor the FIPS self-test Known Answer Test (KAT) data definitions to use a single, unified structure. A new generic `ST_DEFINITION` struct is introduced to replace the various algorithm-specific `ST_KAT_*` structs. This new struct contains fields common to all tests and uses a union to hold the parameters specific to each test category (cipher, digest, KEM, etc.). A helper `ST_BUFFER` struct is also added to combine data pointers and their lengths, simplifying data handling. This refactoring makes the self-test framework more consistent, easier to maintain, and more extensible.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
The SELF_TEST_kats_single() function runs an individual FIPS Known Answer Test (KAT) on demand. These tests require a deterministic random bit generator (DRBG) to be properly initialized to function correctly. This change ensures a dedicated DRBG is set up for the single test run. The existing private RNG is saved before the test and restored afterward, isolating the test's random context from the rest of the library.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Consolidate separate self-test data arrays into a single `st_all_tests` array indexed by a new `self_test_id_t` enumeration. This replaces string-based algorithm lookups with direct array indexing for running self-tests, simplifying the code and state management. The `FIPS_DEFERRED_TEST` structure and `self_test_data.h` file are removed, and the FIPS provider and implementations are updated to use the new ID-based API.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Some FIPS Known Answer Tests (KATs) rely on other cryptographic algorithms that also have their own KATs. This change introduces a formal mechanism to ensure these dependencies are met before a test is run. A `depends_on` field is added to the self-test definition to declare prerequisites. A new recursive function, `FIPS_kat_deferred_execute`, traverses this dependency chain, executing any required tests first. This new logic also prevents tests from being run multiple times if they are a dependency for several other tests. The `FIPS_kat_deferred` function is updated to use this new dependency-aware execution function.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
The lock for the deferred FIPS self-tests was previously a static global variable, initialized with CRYPTO_ONCE. This is problematic when multiple library contexts are used in a single application. This change moves the lock into the FIPS_GLOBAL structure, making it per-library-context. The lock is now initialized when the FIPS provider is initialized and freed when its context is torn down. This improves encapsulation and avoids global state.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Update the FIPS module to run self-tests on demand (deferred) rather than on module load. Change the test definitions in self_test_data.c from SELF_TEST_ONLOAD to SELF_TEST_DEFERRED. Add calls to ossl_deferred_self_test() in the newctx functions for ciphers, digests, signatures, KDFs, KEMs and DRBGs to trigger execution upon first instantiation. Introduce CIPHER_PROV_CHECK and DIGEST_PROV_CHECK macros in common headers to facilitate these checks. Define dependencies for composite tests to ensure prerequisite tests run when needed.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
The FIPS module integrity check (HMAC-SHA256) is refactored to use the generic Known Answer Test (KAT) framework instead of a standalone function.
- Remove `integrity_self_test` and use `ST_ID_MAC_HMAC` with `SELF_TEST_kats_single`.
- Add `self_test_mac` to `self_test_kats.c` to support MAC tests.
- Move HMAC test data to `self_test_data.c`.
- Rename the self-test type from "KAT_Integrity" to "KAT_Mac".
- Ensure on-demand tests reset state so they can be repeated.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Add a self test id to the self test definition structure. This is used as a sanity check to ensure that a test's enum ID matches its index in the `st_all_tests` array. This helps prevent programming errors when adding, removing, or reordering tests in the future, improving the robustness of the self-test mechanism.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Introduce `SELF_TEST_STATE_IMPLICIT` to handle recursive self-test calls when an algorithm is used by another algorithm's self-test (e.g., KDF using HMAC). This prevents unnecessarily running tests when they are effectively covered by a parent test. Refactor `SELF_TEST_kats` and `SELF_TEST_kats_execute` to unify execution logic, dependency resolution, and RNG setup. Remove the `deferred` flag from test definitions in favor of dynamic state evaluation. Explicitly add a dependency for AES-128-ECB on AES-256-GCM.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)
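The run-once, dependency-aware execution described in the `depends_on` commit above and the implicit-coverage state introduced in this one, modelled together as an added example; this is not OpenSSL's code, and the names (`kat_deferred_execute`, `deferred_self_test`, a three-entry `st_all_tests` table, a `run_count` helper) are simplified stand-ins for the functions the commits name. The KAT bodies are stubs that only exercise the lower-level algorithms they depend on, which is the behaviour the state machine has to handle.

```c
/* Hypothetical model of dependency-aware deferred KATs; not OpenSSL's own code. */
typedef enum { ST_ID_SHA256, ST_ID_HMAC, ST_ID_PBKDF2, ST_ID_COUNT } self_test_id_t;
typedef enum { ST_NOT_RUN, ST_RUNNING, ST_IMPLICIT, ST_PASSED, ST_FAILED } st_state_t;
typedef struct {
    self_test_id_t id;                /* sanity check: must equal its array index */
    const self_test_id_t *depends_on; /* explicit prerequisites, ST_ID_COUNT-terminated */
    int (*run)(void);                 /* stub KAT body, 1 = pass */
} ST_DEFINITION;

static st_state_t st_state[ST_ID_COUNT];
static int st_run_count[ST_ID_COUNT];
static int st_in_progress = -1;       /* id of the KAT currently executing, or -1 */
static int deferred_self_test(self_test_id_t id);

/* Each stub KAT uses a lower-level algorithm, which calls the newctx hook below. */
static int kat_sha256(void) { return 1; }
static int kat_hmac(void)   { return deferred_self_test(ST_ID_SHA256); }
static int kat_pbkdf2(void) { return deferred_self_test(ST_ID_HMAC); }

static const self_test_id_t no_deps[] = { ST_ID_COUNT };
static const self_test_id_t pbkdf2_deps[] = { ST_ID_HMAC, ST_ID_COUNT };
static const ST_DEFINITION st_all_tests[ST_ID_COUNT] = {
    { ST_ID_SHA256, no_deps,     kat_sha256 },
    { ST_ID_HMAC,   no_deps,     kat_hmac   },
    { ST_ID_PBKDF2, pbkdf2_deps, kat_pbkdf2 },
};

static int kat_deferred_execute(self_test_id_t id) {
    const ST_DEFINITION *t = &st_all_tests[id];
    int saved = st_in_progress, ok;
    if (t->id != id || st_state[id] == ST_FAILED || st_state[id] == ST_RUNNING)
        return 0;                     /* table/enum mismatch, earlier failure, or cycle */
    if (st_state[id] == ST_PASSED)
        return 1;                     /* a KAT that passed is never run again */
    for (const self_test_id_t *d = t->depends_on; *d != ST_ID_COUNT; d++)
        if (!kat_deferred_execute(*d)) { st_state[id] = ST_FAILED; return 0; }
    st_state[id] = ST_RUNNING; st_in_progress = (int)id; st_run_count[id]++;
    ok = t->run();
    st_in_progress = saved;
    st_state[id] = ok ? ST_PASSED : ST_FAILED;
    /* Algorithms recorded during this run count as tested only if the run passed. */
    for (int i = 0; i < ST_ID_COUNT; i++)
        if (st_state[i] == ST_IMPLICIT) st_state[i] = ok ? ST_PASSED : ST_NOT_RUN;
    return ok;
}
/* Hook for an algorithm's newctx: record use inside a running KAT, else run its own KAT. */
static int deferred_self_test(self_test_id_t id) {
    if (st_in_progress >= 0 && st_state[id] == ST_NOT_RUN) { st_state[id] = ST_IMPLICIT; return 1; }
    return kat_deferred_execute(id);
}
static int run_count(self_test_id_t id) { return st_run_count[id]; }
```

Instantiating PBKDF2 first runs its declared HMAC prerequisite, during which SHA-256 is recorded and then marked passed without its own KAT ever running; a later SHA-256 instantiation finds the passed state and runs nothing.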
openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
FIPS 140-3 IG 10.3.A.8 requires known-answer tests for KDFs. Some of these tests for PBKDF2 use a low iteration count (e.g., 2) which is below the normal security threshold and would otherwise fail. This change checks if a PBKDF2 self-test is in progress and, if so, lowers the minimum accepted iteration count to 2. This allows the required self-tests to pass while maintaining the security check for normal operations.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Reorganize the FIPS self-tests to group them by complexity. The new order groups tests so that more complex ones are executed before less complex ones when all tests are run on_demand, improving the odds that lower level tests are implicitly executed as part of higher level tests and therefore reducing the amount of time spent running redundant tests.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)

openssl-machine pushed a commit that referenced this pull request, Feb 13, 2026:
Add a new -defer_tests option to openssl fipsinstall and a corresponding defer-tests configuration parameter for the FIPS provider. This allows the execution of self-tests to be postponed until the first time an algorithm is used, instead of running all tests during module initialization. This reduces startup time. Update the self-test framework to handle the new SELF_TEST_STATE_DEFER state, ensuring deferred tests are skipped at load and run on demand.
Signed-off-by: Simo Sorce <[email protected]>
Reviewed-by: Shane Lontis <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
(Merged from #29222)
Member:
Merged. Thanks for the contribution and reviews!
Start implementing the Deferred FIPS Self-Tests design.

This PR goes beyond what was initially described in the design and completely unifies the self-test infrastructure as well, to make it easier to deal with all cases.